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This method and system allow for the controlled upgrading of program- 
ming in a set-top terminal of a cable television system. An upgrade order is 
transmitted over the cable plant from the system operator to the population of 
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programming for the terminal broadcast over the cable system. If the upgrade 
is partial, only specified objects are replaced. 






wkkvMlnQ from i^pQiwlft 
onlw 
4M 










FOR THE PURPOSES OF INFORMATION ONLY 



Codes used to identify States party to the PCT on the front pages of pamphlets publishing international applications under the PCT. 



AL 


Albania 


ES 


Spain 


LS 


Lesotho 


SI 


Slovenia 


AM 


Armenia 


Fl 


Finland 


LT 


Lithuania 


SK 


Slovakia 


AT 


Austria 


FR 


France 


LU 


Luxembourg 


SN 


Senega] 


AU 


Australia 


GA 


Gabon 


LV 


Latvia 


SZ 


Swaziland 


AZ 


Azerbaijan 


GB 


United Kingdom 


MC 


Monaco 


TO 


Chad 


BA 


Bosnia and Herzegovina 


GE 


Georgia 


MD 


Republic of Moldova 


TG 


Togo 


BB 


Barbados 


GH 


Ghana 


MG 


Madagascar 


TJ 


Tajikistan 


BE 


Belgium 


GN 


Guinea 


MK 


The former Yugoslav 


TM 


Turkmenistan 


BF 


Burkina Faso 


GR 


Greece 




Republic of Macedonia 


TR 


Turkey 


BG 


Bulgaria 


HU 


Hungary 


ML 


Mali 


TT 


Trinidad and Tobago 


BJ 


Benin 


IE 


Ireland 


MN 


Mongolia 


UA 


Ukraine 


BR 


Brazil 


IL 


Israel 


MR 


Mauritania 


UG 


Uganda 


BY 


Belarus 


IS 


Iceland 


MW 


Malawi 


US 


United States of America 


CA 


Canada 


IT 


Italy 


MX 


Mexico 


UZ 


Uzbekistan 


CF 


Central African Republic 


JP 


Japan 


NE 


Niger 


VN 


Vict Nam 


CG 


Congo 


KE 


Kenya 


NL 


Netherlands 


YU 


Yugoslavia 


CH 


Switzerland 


KG 


Kyrgyzstan 


NO 


Norway 


ZW 


Zimbabwe 


CI 


Cdte d'lvoire 


KP 


Democratic People's 


NZ 


New Zealand 






CM 


Cameroon 




Republic of Korea 


PL 


Poland 






CN 


China 


KR 


Republic of Korea 


PT 


Portugal 






CU 


Cuba 


KZ 


Kazakstan 


RO 


Romania 






CZ 


Czech Republic 


IX 


Saint Lucia 


RU 


Russian Federation 






DE 


Germany 


U 


Liechtenstein 


SD 


Sudan 






DK 


Denmark 


LK 


Sri Lanka 


SE 


Sweden 






EE 


Estonia 


LR 


Liberia 


SG 


Singapore 







WO 00/64178 PCT/US00/10015 

1 

TITLE OF THE INVENTION 

Method and System for Targeted or Universal Upgrades of 
Programming in a Population of Advanced Set-Top Boxes in a Cable 
Television System 

5 

RELATED APPLICATIONS 

This application claims priority from a previous U.S. provisional patent 
application entitled "Software and Firmware Initialization and Upgrade 
Management System and Method for an Advanced Set-Top Box in a Cable 
1 0 Television System," Serial No. 60/1 30,328, filed April 21,1 999. 

FIELD OF THE INVENTION 

The present invention relates to the field of updating the programming, i.e., 
software or firmware, in a population of set-top terminals connected to a cable 
1 5 television system. More particularly, the present invention aims to provide a 
method and system by which the cable television system operator can remotely 
effect a universal upgrade of set-top terminal programming or a targeted upgrade of 
the programming in one or a defined group of set-top terminals. 

20 BACKGROUND OF THE INVENTION 

In a typical cable television system, subscribers are provided with a set-top 
box or terminal. The set-top terminal is a box of electronic equipment that is used 
to connect the subscriber's television, and potentially other electronic equipment, 
with the cable network. The set-top box is usually connected to the cable network 

2 5 through a co-axial wall outlet. 

The set-top box is essentially a computer that is programmed to process the 
signals from the cable network so as to provide the subscriber with the cable 
services. These services from the cable television company typically include access 
to a number of television channels and, perhaps, an electronic program guide. 

3 0 Additional premium channels may also be provided to subscribers at an additional 

fee. Pay-per-view events and video-on-demand may also be provided over the cable 
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network. The set-top box is programmed to provide these and other services to the 
subscriber. 

However, the services of the cable company need not be limited to providing 
television programming. Some cable companies are now offering internet access 
5 and e-mail over their cable networks at speeds much faster than are available over 
conventional telephone lines. It is anticipated in the future that more and more 
services will be provided over the cable network, including even basic telephone 
service. Eventually, each home or office may have a single connection, via the 
cable network, to all electronic data services. 
1 0 When a new set-top terminal is added to the cable network, it must be 

initialized. To initialize a set-top terminal, the terminal must be provided with the 
programming required to allow it to function within the specific cable network to 
which it is connected and to thereby provide the services for which the subscriber 
has paid. Additionally, as the cable network and the services provided evolve, the 

1 5 set-top terminal must also evolve to be able to provide subscribers with all the 
services of the cable network. This set-top box evolution will primarily involve 
changes to the programming, or perhaps a re-initialization, of the set-top box. By 
upgrading the soft- or firmware of the set-top box, the box can be made to perform 
more efficiently or offer new services as the cable network evolves. 

2 0 In order to initialize new set-top terminals or upgrade the programming in 

the existing population of set-top boxes on a cable network, it is preferable to 
transmit the necessary programming to the set-top boxes via the cable network 
itself. Otherwise, a technician must visit each subscriber to install or upgrade the 
set-top boxes. Such field installations and upgrades would obviously be at 

2 5 significant expense. The headend is the facility from which the cable network 
operator broadcasts television signals and provides other services over the cable 
network. Software that is provided to the population of set-top terminals could be 
broadcast from the headend over the cable network. 

Consequently, there is a need in the art for a method and system that allow a 

30 cable television system operator to control a population of set-top terminal to 

appropriately accepted upgraded programming transmitted over the cable television 
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system. Additionally, it must be noted that over time the population of set-top 
terminals will likely come to include different makes and models of set-top 
terminals with different capacities. The software required to upgrade each make 
and model of set-top terminal may therefore be different. Consequently, there is a 
need in the art for a method of initiating an upgrade of only those specific set-top 
terminals requiring an upgrade and of matching the proper programming code to the 
capabilities of those set-top terminals being upgraded. 



SUMMARY OF THE INVENTION 

10 It is an object of the present invention to meet the above-described needs and 

others. Specifically, it is an object of the present invention to provide a method and 
system that allow a cable television system operator to control a population of set- 
top terminal to appropriately accepted upgraded programming transmitted over the 
cable television system. Additionally, it is a further object of the present invention 

15 to provide a method and system for initiating an upgrade of only those specific set- 
top terminals requiring an upgrade and for matching the proper programming code 
to the capabilities of those set-top terminals being upgraded. 

Additional objects, advantages and novel features of the invention will be set 
forth in the description which follows or may be learned by those skilled in the art 

2 0 through reading these materials or practicing the invention. The objects and 

advantages of the invention may be achieved through the means recited in the 
attached claims. 

To achieve these stated and other objects, the present invention may be 
embodied and described as a method for controlling an upgrade of programming in 
25 a population of set-top terminals connected to a cable television system. More 

specifically, the method of the present invention is performed by downloading and 
implementing upgraded programming that is transmitted over the cable television 
system to the population of set-top terminals, where one, some or all of the set-top 
terminals perform the downloading and implementing of the upgraded 

3 0 programming in response to an upgrade order transmitted over the cable television 

system to the set-top terminals. 
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To optimally control the acceptance and implementation of the 
programming, the method of the present invention may include specifying in the 
upgrade order whether the order is universal or targeted. If the order is specified as 
universal, the method continues with all the set-top terminals in the population that 
5 receive the upgrade order downloading and implementing the upgraded 
programming. 

Alternatively, if the order is specified as targeted, the method continues by 
specifying a terminal or group of terminals that are to respond to the upgrade order 
by downloading and implementing the upgraded programming. Consequently, each 

1 0 set-top terminal will compare a target specification transmitted with the upgrade 
order to a corresponding specification or set of specifications that is stored in that 
set-top terminal. Under the method of the present invention, downloading and 
implementing of the upgraded programming will be performed by any set-top 
terminal in which the target specification transmitted with the upgrade order 

1 5 matches any corresponding specification stored in that set-top terminal. 

The method of the present invention also preferably includes specifying in 
the upgrade order whether the order is complete or partial. If the upgrade order is 
specified as complete, the set-top terminal executing the upgrade order will 
terminate programming executing on that set-top terminal and will automatically 

20 execute boot code stored in each terminal. The executing boot code then performs 
the download and implementation of the upgraded programming. The method also 
preferably includes identifying, with the executing boot code, upgraded 
programming for download that is appropriate to that set-top terminal being 
upgraded by matching a platform identifier stored in that set-top terminal to a 

2 5 platform identifier in a download locator message that specifies where in a data 
transport stream that set-top terminal will acquire upgraded programming. 

Alternatively, if the upgrade order is specified as partial, the method of the 
present invention continues by specifying one or more elements of a native suite of 
the set-top terminals to be upgraded or added. In response, the method concludes by 

30 replacing or adding the one or more elements of the native suite specified by the 
upgrade order. 
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The present invention also encompasses the physical system and hardware 
necessary to implement the method described above. For example, the present 
invention also encompasses a system for controlled upgrading of programming in a 
population of set-top terminals connected to a cable television system that includes; 
5 ( 1 ) means for transmitting an upgrade order and upgraded programming to the set- 
top terminals over the cable television system; (2) means for receiving the upgrade 
order and upgraded programming in each of the set-top terminals; and, in each set- 
top terminal, (3) means for controlling download and implementation of the 
upgraded programming by that set-top terminal in accordance with the upgrade 
1 0 order. 



BRIEF DESCRIPTION OF THE DRAWINGS 

The accompanying drawings illustrate the present invention and are a part of 
the specification. Together with the following description, the drawings 
15 demonstrate and explain the principles of the present invention. 

Fig. I is a block diagram illustrating the three different stages at which 
different programming packages have control of the set-top terminal during the 
initialization process of the present invention. 

Fig. 2 is a flow chart illustrating the steps of the initialization process for a 
2 0 set-top terminal according to the present invention. 

Fig. 3 is a block diagram of the various memory devices and some code 
objects used in a set-top box according to the present invention. 

Fig. 4 is a flow chart illustrating the method of universally or specifically 
upgrading the programming in set-top terminals in a cable television system 

2 5 according to the present invention. 

DETAILED DESCRIPTION OF THE INVENTION: 

The present invention addresses the problems involved in upgrading the 
programming in existing set-top boxes or initializing new set-top boxes using 

3 0 programming code broadcast over the cable network. As a result, the set-top boxes 

always have the code objects necessary to allow those set-top boxes to function 
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optimally within the cable system and provide the services purchased by 
subscribers. 

Stated in broad principle, the present invention aims to provide a set-top 
terminal architecture that includes a resident boot code object. As shown in Fig. 3, 
5 the boot code object (302) resides in the set-top terminal (300), preferably in read- 
only memory (ROM) (301) and can automatically execute and initialize or re- 
initialize the set-top terminal. The boot code will preferably be automatically 
executed by the central processor (321) of the set-top terminal. Execution of the 
boot code may be triggered by and immediately follow connection of power to the 

1 0 set-top terminal. The present invention may additionally require connection of the 
transport stream (322) signal from the cable system to a tuner (323) controlled by 
the processor (321) before execution of the boot code is triggered. Once the boot 
code is executing, no further action by the user/installer need be required. 
Moreover, no specific interaction is required between the headend and the set-top 

15 terminal that is initializing or booting. 

As will be described in detail below, the boot code of the present invention 
will automatically find, download and begin execution of the correct software code 
object or objects needed to initialize or re-initialize the set-top terminal. The boot 
code will locate, identify and download the required programming from among 

2 0 potentially many code objects that might be multiplexed on the transport stream 
coming from the headend facility of the cable television system. The boot code 
recognizes the hardware configuration of the set-top terminal in which it resides via 
an internal ROM, protected Flash or other non-volatile memory coded identifier. 
This identifier is matched against a value carried in an object download locator 

25 message from the transport stream to insure that the boot code obtains and 

downloads objects appropriate to the set-top terminal in which the boot code is 
resident. 

Functionally, the boot code of the present invention will identify an 
appropriate control channel frequency, find the stream of control data packets 
30 within that control channel, identify and download the correct object from among 
the objects on the transport stream, verify that the downloaded code is authorized 
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and error-free, and start the downloaded code without direct assistance by a 
technician or intervention from the headend. The term "boot code" as used herein 
comprises the minimal code needed to accomplish this functionality. 

There are essentially two distinct phases of programming a set-top box 
5 addressed by the present invention. The first is the initial programming of the set- 
top box. The second is upgrading the programming or re-initialization of the set-top 
box after that box has been placed in service. 

The initial programming of the set-top box is often performed by the cable 
system operator after the set-top box has purchased from a manufacturer. Because 
L 0 each cable network is designed and built at different times by different service 
providers, each cable network may have a different design, architecture and code 
objects. Moreover, the specific services offered may vary among cable networks. 
Therefore, to adapt the set-top box to function within the specific environment of a 
service provider's cable system and to provide the specific group of services 
5 currently offered by that particular service provider, the set-top box must be 
programmed accordingly or "initialized." 

The process of initialization of a set-top terminal according to the present 
invention will now be explained. In order for a set-top terminal to be initialized, i.e., 
accept and utilize the initial programming it receives, it must have some base 
programming that instructs it how to accept and use that initial programming. This 
base programming within the context of the present invention is called the boot 
code. As described above, the boot code is computer code resident in the permanent 
memory of the set-top terminal that is loaded, preferably into read-only memory, at 
the factory and cannot be changed once a terminal has been deployed. 

As shown in Fig. 1, there are three general tiers or classifications of 
programming that run on or have control of the set-top terminal during different 
stages in the initialization and operation of the terminal according to the present 
invention. Referring to Fig. 1, the first classification of code is the boot code (1). 
The boot code is preferably located in the read-only memory of the set-top terminal, 
but may alternatively be loaded in the Flash memory. While running the boot code 
(1), the set-top terminal cannot provide any services to the subscriber. The function 



0 
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(2) of the boot code (1) is to search the data transport stream received from the 
headend facility to locate, acquire and begin execution of the base platform code (3) 
which is the next tier or classification of programming. 

The boot code (1) is designed to authenticate the base platform code after the 
5 base platform code is downloaded. The boot code (1) will preferably re- 
authenticate the base platform code every time it launches the base platform object 

(3) . When the base platform code (3) is executing, the execution of the boot code 
(1) is terminated and control of the set-top terminal passes to the base platform code 
(3). 

1 o The base platform code (3) may be factory loaded. However, under the 

principles of the present invention, the base platform code (3) is preferably 
transmitted to the set-top terminal from the cable headend during the initialization 
of the terminal. This allows the operator of the cable system to customize the base 
platform code (3) for optimal operation on the specific cable system where the set- 
15 top terminal is deployed. Preferably, the base platform code (3) is transmitted over 
the cable plant on an out-of-band (OOB) transport stream. However, it is within the 
scope of the present invention for the base platform code (3) to be transmitted on an 
in-band control channel. 

The base platform code (3) has two functions. The first function of the base 

2 0 platform code (3) is to provide the basic capability of allowing a subscriber to watch 

television using the signal from the cable television system. The second function is 
to control the download (5) of the next classification of code objects, i.e., the target 
operating system (O/S) and resident applications (6). The base platform code (3), 
while allowing subscribers to watch television, does not generally support any 
25 additional functions of the set-top terminal. However, the base platform code (3) 
can acquire, authenticate, authorize and execute objects of the third and final 
classification of programming (e.g., the O/S) (5). 

The third classification of programming, the operating system and resident 
applications (6) provide the additional set-top terminal functions available from the 

3 0 cable system. The operating system (O/S) is typically code from a third party (such 

as Microsoft's WinCE™) that provides access, with the resident applications, to all 
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authorized set-top terminal capabilities. The operating system typically uses an 
additional embedded code module provided by the manufacturer of the set-top 
terminal which interfaces the operating system with the particular hardware of that 
set-top terminal to enable the operating system to function with that specific set-top 
5 terminal. 

Resident applications are computer programs that run on the set-top terminal 
under the operating system. The resident applications work with the operating 
system to provide the capabilities of the set-top terminal that are in addition to 
watching television. The native suite is a specified group of software applications, 
1 0 including the operating system and perhaps various resident applications, that 
provide the intended functions of the set-top terminal. Specific elements of the 
native suite are determined by the system operator. 

As indicated in Figs. 1 and 3, the boot code (1) is preferably factory-loaded 
in the read-only memory (ROM) of the set-top terminal and is executed as soon as 
15 AC power is provided to the set-top terminal. Alternatively, the boot code may be 
executed in response to a reset signal (4) received, for example, from the headend, 
i.e., the system operator. This allows the system operator to re-initialize the set-top 
terminal whenever desired. 

The reset signal (4) is preferably received by the base platform code (3) 
2 0 which then terminates execution of the operating system and resident applications 
(6), if running, and begins execution of the boot code (1). Alternatively, the reset 
signal (4) may cause the base platform code (3) to terminate and reload the native 
suite (6) rather than execute the boot code (1). 

As described above, whenever executed, the boot code (1) acquires and loads 

2 5 the base platform code (3). The base platform code may be provided to the set-top 

terminal over the cable network from the headend or, alternatively, may be factory- 
loaded along with the boot code. The base platform code is preferably stored in 
Flash memory (303) as shown in Fig. 3. The boot code (1) will either download the 
base platform code (3), for example, over an out-of-band channel from the headend 

3 0 or, if the base platform code was factory-loaded, identify the base platform code (3) 
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in memory. The boot code (1) authenticates the base platform code (3) from 
whatever source it is obtained and then executes the base platform code (3). 

The base platform code (3) then acquires the operating system and, 
preferably, the other objects of the native suite (6). The operating system and the 
5 other objects are downloaded from the headend over the cable network. The base 
platform code (3) will acquire the operating system and other objects when first 
executed or, while running, in response to an initialization message (4) from the 
system operator. The initialization message (4) maybe provided over the cable 
network. The operating system and resident applications (6) are then executed 

1 0 when the native suite is acquired, authorized and authenticated. 

Fig. 2 is a flowchart providing a more detailed explanation of the 
initialization sequence according to the present invention. As shown in Fig. 2, when 
the set-top terminal is first powered, or an appropriate reset signal has been 
received, the boot code is executed (229). The boot code must first determine 

1 5 whether the set-top box has or must acquire the base platform code. To determine 
this, the boot code first checks the flash memory for the base platform code, the last 
known carrier (LKC) frequency of the control channel from the headend, and an 
Entitlement Management Message Provider Identification (201, 202). 

If any of three following conditions are discovered, the boot code will 

2 0 conclude that it must acquire the base platform code and will hunt for the out-of- 
band channel or the in-band channel from which the base platform code can be 
obtained. The boot code seeks to acquire the base platform code if (1) the base 
platform code, last known carrier and EMM Provider ID are not stored in the Flash 
memory, (2) the base platform code in the Flash memory fails an authentication 

2 5 check or (3) non- volatile memory indicates that hunting for the control channel 

(likely an out-of-band channel) is required. 

If the Flash check determines that a base platform code object exists, the 
boot code proceeds to execute that base platform object after appropriate 
authorization and authentication as described below. If both the base platform and 

3 0 the O/S are loaded in Flash, the boot code authorizes and authenticates the base 

platform and then launches the base platform and passes control of the set-top 
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terminal thereto. The base platform object, in turn, authorizes and authenticates 
(A&A) the O/S. The authenticated O/S is then run and control passes to the O/S. 

If the base platform code is not loaded in Flash memory, the boot code loads 
the base platform off of the out-of-band transport stream (203, 204, 207). However, 
5 before it is written to Flash memory, a successful authentication is required (206, 
205). When the authenticated base platform code is executed, the boot code passes 
control to the base platform (21 1,228). If the base platform code fails the 
authentication check (205), the failed base platform code is deleted (208) and a 
counter is incremented (209) that tracks the number of attempts to acquire and 
0 authenticate a base platform code. If the counter is below a predetermined 

acceptable number of attempts, the base platform code is again downloaded (207). 
Alternatively, if the acceptable number of attempts to download the base platform 
code is exceeded, the set-top terminal may signal the headend for a service call 
(210). 

5 Under the principles of the present invention, the boot code locates the base 

platform object using a boot code message or "bootcode_control_message" that is 
sent periodically on the out-of-band transport stream (204). Use of the 
bootcode_control_message will now be described in detail. 

When the boot code determines the need to download the base platform 
0 object, it first hunts for the control channel. A table of possible carrier frequencies 
at which the control channel or channels are being broadcast is included in the boot 
code. These frequencies may be both in-band and out-of-band. The boot code will 
cause the set-top terminal to tune each of these frequencies in turn until the control 
channel is located and a carrier lock is obtained. If no control channel is received at 
5 a particular frequency for a predetermined period of time, the set-top terminal will 
tune the next frequency in the table. It is also possible to step through a frequency 
range or sweep a frequency range to find the control channel as opposed to stepping 
through a table of frequencies. 

The control channel is a stream of data packets that can be received and used 
by the set-top terminal. In order to broadcast a number of different objects 
simultaneously, the headend will divide objects to be transmitted over the control 
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channel into packets. The packets of the various objects being transmitted can then 
be interspersed or time-multiplexed together so that several objects are all 
transmitted essentially simultaneously. The packets for each particular object will 
have a common packet identifier or "PID." Thus, a set-top terminal can identify the 
5 packets for the object it is working to acquire. By acquiring all the packets with a 
particular PID, the complete object can then be reassembled by the set-top terminal 
from the set of packets with that particular PID. 

According to the present invention, a set-top terminal can start anywhere in 
the progression to acquire an object and wrap around until all the necessary packets 

10 are downloaded. For example, the set-top terminal may load the first packet it 
receives with a PID X. That packet may be packet 50 of 1 00 marked by PID X. 
The terminal then continues to collect packets 51 to 100 with PID X, then 1 to 49. 
With all 100 packets obtained, the terminal can reassemble the packetized object. 
The headend may need to broadcast a number of objects simultaneously 

1 5 because there may be different types or classes of set-top terminals in the 

population. Each class of set-top terminals may need a different version of, for 
example, the base platform code, the O/S or a resident application. Therefore, when 
the boot code is going to initialize the set-top terminal and must acquire the base 
platform code, the boot code must determine where to acquire the base platform 

2 0 appropriate to the set-top terminal on which it is running. 

Thus, once the carrier lock is achieved and the control channel is being 
received, the boot code will begin collecting packets from the transport stream on 
the control channel that are identified with PID 1. PID 1 is dedicated to the 
conditional access message in the MPEG standard. The packets of PID 1 will 

2 5 provide the boot code running on the set-top terminal with a Conditional Access 

Table (CAT) of EMM descriptors each of which identifies a PID for a set of packets 
on the transport stream that constitute an EMM stream (Entitlement Management 
Message). 

The boot code will begin with the first EMM descriptor and begin loading 

3 0 packets from the transport stream that are marked with the EMM PID given by the 

first EMM descriptor. The EMM PID packets being acquired will contain the boot 
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code message of the present invention which, in turn, includes a platform identifier. 

The boot code, which is factory-installed in the set-top terminal, will also 
include a platform identifier that is specific to the type of terminal in which the boot 
5 code is resident. When running, the boot code will attempt to match the platform 
identifier provided at the factory with the platform identifier from the boot code 
message of the EMM PID packets. 

If no match is found, the boot code will select the next EMM descriptor in 
the CAT and check the packets of the EMM PID identified by the that EMM 
1 0 descriptor for a boot code message with a matching platform identifier. This 

continues until the matching platform identifier is found (203). It may be possible 
to search multiple EMM PID's simultaneously to reduce the EMM validation time 
and the time required to find the matching boot code message. 

If all the EMM descriptors in the CAT of PID 1 are checked and no match is 
1 5 found for the platform identifier, the boot code will look for another control channel 
on another carrier frequency by returning to the table of carrier frequencies. When 
another frequency with a control channel is identified and locked, the boot code will 
extract PID 1 and repeat the process outlined above. This continues until a boot 
code message with a platform identifier matching the platform identifier of the boot 
2 0 code is found. 

When the boot code finds a boot code message with a matching platform 
identifier, the boot code will extract a download PID (DL PID) specified in the 
matching boot code message. The download PID (DL PID) is the identifier for the 
packets that carry the code object, e.g., the base platform code object, that is 

2 5 appropriate for the type of set-top terminal with the platform identifier in the boot 

code message. The boot code can then download the base platform code object by 
acquiring the packets with the DL PID and reassembling the data in those packets 
into the base platform code. 

As shown in Fig. 2, once the base platform code has been downloaded or 

3 0 identified as already resident in Flash memory, an authentication check (206) is 
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performed to verify that the base platform code has been accurately and completely 
received and has not been altered by an unauthorized party. 

If the base platform fails the authentication check, it is deleted (208). A load 
counter may then be checked to determine the number of times the set-top terminal 

> 

5 has attempted to acquire a valid base platform code (209). If the counter exceeds a 
predetermined limit, the set-top terminal may signal the headend for a service call or 
may indicate the need to request a service call to the subscriber (210). If the load 
counter is not exceeded, the boot code will revert to the process described above and 
attempt again to download the base platform code (207). 

1 0 Alternatively, if the base platform code is authenticated, it is then launched 

(211). The base platform code will then determine if the native suite, including the 
O/S, is loaded in the Flash memory (214). If it is not, the base platform code will 
seek to download the native suite. 

With the base platform code running, the system operator may provide the 

15 set-top terminal with a set of "initialization messages" that provide, for example, 

channel maps, tables and EMM information (219, 212). These messages should be 
provided before the native suite is loaded. The initialization messages may instruct 
the set-top terminal where to acquire the native suite. 

After the native suite has been downloaded, or is found already existing in 

20 Flash memory, an authorization check is performed on the native suite (215, 220, 
224, 223). The download of the native suite will include an Object Conditional 
Access Message (OCAM) that is recorded by the set-top terminal. The 
authentication signature and authorization code for the native suite object are 
provided in the OCAM and used to authorize and authenticate the native suite in the 

2 5 manner described below. 

If the authorization check is not successful, the native suite code will be 
deleted (225, 217) and the base platform code will not attempt to acquire the native 
suit (221) until the authorization passes. If the authorization check is successful, the 
native suite and any resident applications associated with it are loaded and an 

30 authentication check is performed (222). As before, if the authentication check 

fails, the downloaded code will be deleted (217) and a load counter or timer will be 
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checked (216) to see if another attempt to download the code should be made or a 
service call signaled (213). 

Alternatively, if the authentication check (222, 218) is successful, the native 
suite and any associated resident applications will be executed beginning with the 

> O/S (226, 227). The base platform code performs the authorization and 
authentication on the O/S code. If the O/S is passes the authorization and 
authentication checks, the O/S is executed and control is transferred to the O/S. the 
BIOS (Basic Input/Output Software) may perform the authorization and 
authentication of the remainder of the native suite (215, 224, 222). 

' In summary, various portions of the boot process include an object 

authorization and authentication (A&A) process for newly acquired or located 
objects. The authorization check of the native suite is done within the base 
platform. The authorization and/or authentication of the base platform is, in nam 
performed by the boot code, which can only authenticate a base platform object. 
When running, the O/S of the native suite performs the authentication and 
authorization of subsequently loaded objects. These checks are required so that, 
given an interruption in power, etc., the authorization status of the terminal can be 
verified. If, at any point an authorization or authentication check fails, the object 
being checked is disabled. 

Authentication is performed as follows. When a code object is broadcast 
over the cable network, it is associated with an authorization code and an 
authentication signature. For the base platform object, the code identifier is 
preferably given in an object_id field of the boot code message. The authentication 
signature is preferably given in an object_description field of the boot code 
message. For other objects, such as the O/S and the native suite, the authorization 
code and authentication signature are provided in an OCAM downloaded 
independent from the object 

The authentication signature is computed mathematically using a specific 
algorithm with the code object itself as the input for the algorithm. The signature is 
then re-computed by the set-top terminal using the same algorithm and the 
downloaded code as input. If the signature computed by the set-top terminal 



WO 00/64178 



PCT/USOO/10015 



matches the one transmitted with the code, the code can be implemented with 
confidence that its has been transmitted properly, without inadvertent or malicious 
alteration. 

Fig. 3 illustrates four memory units of a set-top terminal (300) according to 
5 the present invention. A read-only memory unit (ROM) (301) contains the boot 
code (302). A flash memory unit (303) contains the base platform code (304) and 
the O/S object (306). Aside from these objects, additional flash memory is available 
(305). Two stack pointers (307, 308) designate absolute locations in the Flash 
memory (303) for the base platform code (304, 308) and the O/S (306, 307). It is 
1 0 important that these two objects may be absolutely located in Flash (303). 

A non-volatile memory unit (310) preferably has both a managed and a non- 
managed segment. The base platform code (304) may store parameters and other 
data in the either portion of the non- volatile memory unit (3 1 0). 

Finally, a random access memory unit (RAM) (309) is provided. 
15 Downloaded objects such as the base platform code, the O/S, etc. may be stored in 
the RAM (309) until authenticated. Once authorization and authentication are 
successfully completed, the objects may be transferred from the RAM (309) to the 
Flash memory unit (303) for long-term storage. 

The present invention provides for two basic ways to upgrade the basic 
2 0 platform in a population of set-top terminals once those terminals have been placed 
in full service. As illustrated in Fig. 4, these two methods of upgrade are (1) a 
universal upgrade of the entire population (i.e., the entire population tuned to a 
particular control stream) and (2) a targeted upgrade of a subset or subsets of the 
population. Both methods may make use of the boot code to perform the upgrade. 
25 As shown in Fig. 4, the system operator transmits an upgrade order from the 

cable headend to the population of set-top terminals receiving the signal from that 
headend over the cable network (401). All the set-top terminals tuned to the control 
channel on which the upgrade order is broadcast will receive the order (402). 

Each set-top terminal will first determine if the upgrade order is universal or 
30 targeted (403). A universal upgrade order will cause all the set-top terminals 

receiving it to effect the specified upgrade. If the upgrade order is universal, each 
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set-top terminal will then determine if the order is for a complete or partial upgrade 
(404). A complete upgrade requires the set-top terminal to upgrade all 
programming except the immutable boot code, i.e., the base platform object and the 
native suite, including the operating system object and the resident applications. A 
5 partial upgrade merely requires the set-top terminal to replace one or more elements 
of the native suite, i.e. the operating system object and/or one or more resident 
applications. 

If a complete upgrade is signaled, the set-top terminal will terminate the 
native suite and the base platform code (407). The set-top terminal may also delete 
10 the terminated objects. In the absence of other executing programming, the set-top 
terminal will automatically re-execute the boot code from ROM. The boot code 
then assumes control and performs the initialization procedure outlined above, 
including replacing the base platform and native suite with upgraded code objects 
downloaded over the cable network as described above. 
15 If the upgrade ordered is partial rather than complete, one or more elements 

of the native suite are to be replaced or a new element is to be added to the native 
suite. If existing elements of the native suite are to be replaced, the set-top terminal 
will terminate, and may delete, those specified elements (410). 

If the operating system is being replaced, the base platform code will assume 
2 0 control of the terminal upon termination of the existing operating system. The base 
platform code will then load a new, upgraded operating system from the cable 
network as described above (411). This may also include reloading and upgrading 
some or all of the resident applications of the native suite. 

Alternatively, if one or more resident applications are being replaced or a 

2 5 new resident application is being added, the operating system, rather than the base 

platform code, may control the downloading, authentication and authorization of the 
new code objects as described above. 

A targeted upgrade applies to a single terminal or a small group of terminals 
on a given control channel. Each terminal has a specific single-cast address and 

3 0 can, therefore, be addressed by the headend and instructed to completely or partially 

upgrade its programming. Alternatively, each terminal has one or more multi-cast 
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addresses that are shared by other terminals in the population. Four such multi-cast 
addresses for each terminal are preferred. With a multi-cast address, the headend 
can signal a code upgrade or re-initialization for a specific class of terminals that 
share that particular multi-cast address. 
5 As shown in Fig. 4, after a targeted upgrade order has been received, the set- 

top terminal will extract the terminal addressing information from the targeted 
upgrade order (405). If the addressing information from the upgrade order matches 
the single-cast or any multi-cast address of the receiving set-top terminal, that 
terminal will accept and implement the upgrade order (406). The terminal then 

1 0 determines if the upgrade order is complete or partial (404) and the upgrade process 
proceeds as outlined above. 

In this way, the system operator can very flexibly and effectively control the 
upgrading of programming in the population of set-top terminals connected to the 
cable television system. 

1 5 The preceding description has been presented only to illustrate and describe 

the invention. It is not intended to be exhaustive or to limit the invention to any 
precise form disclosed. Many modifications and variations are possible in light of 
the above teaching. 

The preferred embodiment was chosen and described in order to best explain 

2 0 the principles of the invention and its practical application. The preceding 

description is intended to enable others skilled in the art to best utilize the invention 
in various embodiments and with various modifications as are suited to the 
particular use contemplated. 
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WHAT IS CLAIMED TS- 

1 . A method for controlling an upgrade of programming in a population 
of set-top terminals connected to a cable television system, the method comprising, 
with one or more of said set-top terminals, downloading and implementing 
upgraded programming that is transmitted over said cable television system to said 
population of set-top terminals, said downloading and implementing being 
performed in response to an upgrade order transmitted over said cable television 
system to said set-top terminals. 

2. The method of claim 1 , further comprising specifying in said upgrade 
order whether said order is universal or targeted. 

3. The method of claim 2, wherein if said order is specified as universal, 
1 5 said method comprises performing said downloading and implementing with all set- 
top terminals in said population that receive said upgrade order. 

4. The method of claim 2, wherein if said order is specified as targeted, 
said method further comprises, specifying a terminal or group of terminals that are 
to respond to said upgrade order by performing said downloading and implementing 
of said upgraded programming. 



20 



5. The method of claim 4, further comprising: 
comparing a target specification transmitted with said upgrade order to a 
2 5 corresponding specification or set of specifications that is stored in each of said set- 
top terminal; and 

performing said downloading and implementing of said upgraded 
programming if said target specification transmitted with said upgrade order 
matches any corresponding specification stored in that set-top terminal. 

30 
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6. The method of claim 1 , further comprising specifying in said upgrade 
order whether said order is complete or partial. 



7. The method of claim 6, further comprising, if said upgrade order is 
5 specified as complete, terminating all programming executing on a set-top terminal 
receiving said upgrade order and automatically executing a boot code of that 
terminal, wherein said boot code then performs said downloading and implementing 
of said upgraded programming. 

10 8. The method of claim 7, further comprising, with said boot code, 

identifying upgraded programming for download that is appropriate to that set-top 
terminal being upgraded by matching a platform identifier stored in that set-top 
terminal to a platform identifier in a download locator message that specifies where 
in a data transport stream that set-top terminal will acquire upgraded programming. 

15 

9. The method of claim 6, further comprising, if said upgrade order is 
specified as partial, specifying one or more elements of a native suite that are to be 
upgraded or added. 

2 0 10. The method of claim 9, further comprising replacing or adding said 

one or more elements of said native suite in response to and in accordance with said 
upgrade order. 

11. A system for upgrading programming in a population of set-top 
2 5 terminals connected to a cable television system, the system comprising: 

means for transmitting an upgrade order and upgraded programming to said 
set-top terminals over said cable television system; 

means for receiving said upgrade order and upgraded programming in each 
of said set-top terminals; and, 
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in each set-top terminal, means for controlling download and implementation 
of said upgraded programming by that set-top terminal in accordance with said 
upgrade order. 

12. The system of claim 1 1 , further comprising means for specifying in 
said upgrade order whether said order is universal or targeted. 



13. The system of claim 12, wherein, if said order is specified as 
universal, said means for controlling download and implementation of said 

1 0 upgraded programming in each set-top terminal receiving said upgrade order will 
download and implement said upgraded programming. 

14. The system of claim 12, wherein, if said order is specified as targeted, 
said system further comprises, means for specifying a terminal or group of terminals 

1 5 that are to respond to said upgrade order by downloading and implementing said 
upgraded programming. 

1 5 . The system of claim 1 4, further comprising, in each said set-top 
terminal, means for comparing a target specification transmitted with said upgrade 

2 0 order to a corresponding specification or set of specifications that is stored in that 
set-top terminal; 

wherein said means for controlling download and implementation of said 
upgraded programming downloads and implements said upgraded programming if 
said target specification transmitted with said upgrade order matches any 
2 5 corresponding specification stored in that set-top terminal. 

1 6. The system of claim 1 1 , further comprising means for specifying in 
said upgrade order whether said order is complete or partial. 



30 



1 7. The system of claim 1 6, further comprising, if said upgrade order is 
specified as complete, means for terminating programming executing on a set-top 
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terminal that receives said upgrade order and automatically executing a boot code of 
that terminal, wherein said boot code then performs said downloading and 
implementing of said upgraded programming. 

5 18. The system of claim 17, further comprising means for identifying 

upgraded programming for download that is appropriate to that set-top terminal 
being upgraded by matching a platform identifier stored in that set-top terminal to a 
platform identifier in a download locator message that specifies where in a data 
transport stream that set-top terminal will acquire upgraded programming. 

10 

19. The system of claim 18, further comprising, if said upgrade order is 
specified as partial, means for specifying one or more elements of a native suite that 
are to be upgraded or added. 

15 20. The system of claim 19 wherein said means for controlling download 

and implementation of said updated programming replace or add said one or more 
elements of said native suite in accordance with said upgrade order. 
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